Author Topic: Inability to authenticate hits us right where it hurts - security!  (Read 26328 times)

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14647
    • Video Blog
Inability to authenticate hits us right where it hurts - security!
« on: September 18, 2008, 10:29:01 PM »
Inability to authenticate hurts us

Please feel free to share your views with us.

Thanks

Melih
« Last Edit: September 19, 2008, 09:09:38 AM by Melih »

Offline gibran

  • Average User
  • Comodo's Hero
  • *****
  • Posts: 5056
  • A bad workman always blames his tools
Re: Inability to authenticate hits us right where it hurts - security!
« Reply #1 on: September 19, 2008, 03:59:16 AM »
Authentication through digital signing sure opens many new possibilities.

It's too bad that many end users don't know much about that nor how to use digital signatures to check software integrity.

With a digital signature it is possible to both confirm the developer and validate the software against tampering, and it provides much more reliable info about developers than a normal Version Info tab.

Adding digital signature support in security software is the way to go, not only to create a list of trusted vendors but also a list of untrusted ones (e.g. to use it for parental control purposes).

Most of these rogue developers don't even bother to digitally sign their apps since that would mean letting everyone know their real address.
Thus this will often be enough to confirm that an application was built by a legit developer.

Usually almost all software installers have to be digitally signed in order to get the Windows Logo Seal.
« Last Edit: September 19, 2008, 04:12:13 AM by gibran »
"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams

Offline LaserWraith

  • pillow fighting fool
  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 4590
  • I'm going to go out with a bang
Re: Inability to authenticate hits us right where it hurts - security!
« Reply #2 on: September 26, 2008, 04:41:32 PM »
Ok, this is a bit off-topic, but I wanted to say it:

The title, or whatever the text is called that shows on the browser tab, of Melih's website is in all caps, which makes it look like one of those attacker sites. I know Melih is a security guy, so this is just a comment to make his website not seem like a "bad guy's" site.

Offline tukapua

  • Newbie
  • *
  • Posts: 2
Re: Inability to authenticate hits us right where it hurts - security!
« Reply #3 on: December 12, 2008, 04:03:44 AM »
When I bought this PC I asked my ISP for an antivirus and they sent me the link to free McAfee, which worked for about a month, then I found that it was always going down, so I eventually deleted the whole suite. Now I had no protection, then I remembered an IT guy sayin he thought Comodo was pretty good, so I put Comodo in my browser and up it came offering free service. Now I'm uncertain if it's Comodo's doin, but my PC is goin like a rocket now!!! And I have a very limited broadband program which slows to dial-up very quickly. So far it is still loading stuff at breakneck speed and I'm crossing everything in the hope that it really is Comodo's doing and not my broadband. Anyway, even if it is broadband I am really glad I have Comodo as my PC's protection. Thank you Melih!
 

Offline Melih

Re: Inability to authenticate hits us right where it hurts - security!
« Reply #4 on: December 12, 2008, 09:02:38 AM »
Quote from: tukapua
When I bought this PC I asked my ISP for an antivirus and they sent me the link to free McAfee, which worked for about a month, then I found that it was always going down, so I eventually deleted the whole suite. Now I had no protection, then I remembered an IT guy sayin he thought Comodo was pretty good, so I put Comodo in my browser and up it came offering free service. Now I'm uncertain if it's Comodo's doin, but my PC is goin like a rocket now!!! And I have a very limited broadband program which slows to dial-up very quickly. So far it is still loading stuff at breakneck speed and I'm crossing everything in the hope that it really is Comodo's doing and not my broadband. Anyway, even if it is broadband I am really glad I have Comodo as my PC's protection. Thank you Melih!
 

We care when we code our programs. We make sure to provide the most efficient and high performance code possible and hence you are seeing the benefit you are!

Our users deserve nothing less!

Melih

Offline 00hmh

  • Comodo Loves me
  • ****
  • Posts: 104
Comodo credibility hurt by certificate resellers?
« Reply #5 on: December 26, 2008, 11:24:26 AM »
Melih,

What's the story on the linked problem with certificate resellers?

http://benjamin.smedbergs.us/blog/2008-12-24/how-to-disable-the-comodo-root-certificate-in-firefox/

Whether it is truly a problem or not, many tech-savvy people have come across this. I noticed it in Steve Gibson's GRC newsgroups, and found this link there. I would expect Comodo to respond publicly to these reports and at least have a company response available online to get the other side of the story out. If you have done so, please post the link.

Offline The Joker

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 564
  • Let’s put a smile on that face!
Re: Inability to authenticate hits us right where it hurts - security!
« Reply #6 on: December 26, 2008, 02:59:30 PM »
And here http://blog.mozilla.com/rob-sayre/2008/12/24/dismay/ they talk about the COMODO fiasco!
« Last Edit: December 26, 2008, 03:01:16 PM by Eduardo »
HP Pavilion DV4 2040BR l Windows 7 SP1 Home Premium x64 l CIS 7.0 BETA (Proactive Security) (AV: Stateful l FW: Safe Mode l HIPS: Safe Mode l Sandbox: Fully Virtualized)

______________________________

It's all part of the plan!

Offline Melih

Re: Inability to authenticate hits us right where it hurts - security!
« Reply #7 on: December 26, 2008, 03:38:12 PM »
One of our resellers had an issue in their system. We take this very seriously. We acted quickly and revoked the cert, we have suspended the reseller account, we are re-doubling our auditing and re-evaluating our procedures. We are not the first to suffer at the hands of DV certs (DV certs are not for ecommerce) (there simply is no standard for these kinds of certs) and we won't be the last :( until a standard is set up for DV certs. As it happens, Comodo put forward a new proposal for a minimum standard for DV certs on 2nd of Dec 2008 (just a few weeks ago) to the CABForum (the org that I initiated in 2005). As you all know, CABForum created the EV SSL standard for high assurance SSL certs called EV SSL (which creates a ceiling for high assurance validation) but there is no standard for where the floor should be for lower assurance certs like DV certs.

We hope this latest event will act as a catalyst to unite the industry and come up with a minimum standard for DV certs. DV certs have no place in the world of Ecommerce. A minimum standard for DV certs is well overdue! We owe it to our users!

Melih
« Last Edit: December 26, 2008, 03:42:08 PM by Melih »

Offline SiberLynx

  • Comodo's Hero
  • *****
  • Posts: 2194
Re: Inability to authenticate hits us right where it hurts - security!
« Reply #8 on: December 26, 2008, 08:48:25 PM »
Hi Guys,

That is an interesting and important issue to discuss.

Apart from authentication and the alleged “fiasco”, I would make a short note regarding the Digital Signature issue raised by gibran.
Quote from: gibran
It's too bad that many end users don't know much about that nor how to use digital signature
… indeed and absolutely true…

At the same time it looks like the way it is implemented, maintained, used and so on... it does not provide much.
Just grab Autoruns from SysInternals (now it belongs to Microsoft); check “Verify code signature”; hit Refresh and enjoy “Not verified” in the list. Most of the items (a lot!) will be from Microsoft. And who had any doubts about that one? :)
I am sure you will find some important security software you are using and other important “pieces of code” unsigned too. Comodo is fine in this respect ;)

Probably
Quote from: gibran
Adding digital signature support in security software is the way to go…
but it seems that currently it doesn’t make a lot of sense. The approach, implementation and the way it somehow can help the end user from a security point of view should be completely re-designed, probably from scratch. Another way to go?

Cheers
Main OS - Ubuntu
XP Pro, SP3 (32bit), Admin; Comodo Firewall 3.14.130099.587; Proactive with Defense+; Emsisoft Anti-Malware v9; Sandboxie
Win 7 x64, Admin (UAC off); Win7 advanced FW +TinyWall; Emsisoft Anti-Malware v9; Sandboxie
Win 7 Ultimate 32bit (UAC off); Emsisoft Internet Security v9 beta
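
An added example, not part of any post in this thread: the developer-identity and tamper checks gibran describes in Reply #1, and the per-entry signature check SiberLynx runs with Autoruns in Reply #8, can be reproduced with PowerShell's built-in `Get-AuthenticodeSignature`. The two Run keys are only a sample of autostart locations chosen for illustration, and `Get-ExecutablePath` is a hypothetical helper written for this example.

```powershell
# Added example: Authenticode status and signer for programs started from the Run keys.
# Assumption: these two registry paths are a small, illustrative subset of autostart locations.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run-key command line.
function Get-ExecutablePath {
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($expanded -match '^"([^"]+)"')        { return $Matches[1] }  # "C:\path with spaces\app.exe" /arg
    if ($expanded -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }  # C:\path\app.exe /arg
    return ($expanded -split '\s+')[0]                                # anything else: first token
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $path = Get-ExecutablePath ([string]$item.GetValue($name))
        if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [pscustomobject]@{ Entry = $name; Status = 'FileNotFound'; Signer = $null; Path = $path }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Entry  = $name
            # Valid = hash matches and chain is trusted; HashMismatch = changed after signing
            Status = [string]$sig.Status
            # Subject of the signing certificate: the developer identity the signature vouches for
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Path   = $path
        }
    }
}

$results | Sort-Object Status, Entry | Format-Table -AutoSize -Wrap
```

Entries with a status of `NotSigned` carry no publisher claim at all, while `HashMismatch` means the file no longer matches what the publisher signed.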

Offline Melih

Re: Inability to authenticate hits us right where it hurts - security!
« Reply #9 on: December 26, 2008, 09:53:09 PM »
Unfortunately digital certificates are yet to find their right place in the digital world. They are totally underutilised and have next to nothing in terms of validation standards. Apart from EV SSL (thanks to the committee I started in 2005).

Melih
« Last Edit: December 27, 2008, 12:03:30 AM by Melih »

Offline SiberLynx

Re: Inability to authenticate hits us right where it hurts - security!
« Reply #10 on: December 26, 2008, 11:59:05 PM »
Quote from: Melih
Unfortunately digital certificates are yet to find their right place in the digital world. They are totally underutilised and have next to nothing in terms of validation standards. Apart from EV SSL (thanks to the committee I started in 2005).
Melih

Thanks for the response, Melih.

That's precisely what I was driving at (unfortunately).
Let's hope that will go through serious changes.

Cheers!
Season's Greetings to you and yours and more success to the company!
« Last Edit: December 27, 2008, 12:02:36 AM by SiberLynx »

Offline cbncom

  • Newbie
  • *
  • Posts: 1
Re: Inability to authenticate hits us right where it hurts - security!
« Reply #11 on: January 04, 2009, 03:34:43 AM »


Last year I got an MS Windows warning message that some program is making unauthorised copies of my files and programs; anti virus software is available; click to download etc. and voilà. I downloaded a fake security patch that took control of my computer completely. It disabled my task manager, so I could no longer end tasks. It disabled my add/remove program option. It also froze my restore option in 'system restore' - the calendar in the restore screen froze and I could never go back to an earlier version for restore! AND I could not edit my registry keys!!!

Eventually, after a lot of frustrated and wasted days and nights, I had to re-format the entire HD of 160 GBs, create new partitions and reinstall the OS, before getting my system to normalcy. It was a traumatic learning experience for me. If only I could have known that the MS Windows logo in the warning message was fake!!!! I could have avoided the nightmare, and immensely been thankful to COMODO.

Since then I tried various trial options of well known, branded (for the moment let them remain nameless) anti virus s/w downloaded from the internet. But they were more malicious than the malice they were supposed to fight, if you got on their wrong side! I.e. at the end of the trial period, if you didn't buy them, then they would give more trouble than the virus / malware they eliminated (!). Add/remove program or Uninstall wouldn't work. They'll never go away. They would also not allow you to download / install another anti virus. Invariably one had to re-install the OS every time, to get rid of these 'high flying pests'.

That is when I discovered COMODO. It was like what they say, Incredible but True. There was no trial period! And when they said free, it was FREE. Boy, I couldn't believe it. But I installed, tested, tried and now I swear by it. It was like a God Send to us. Yes, 'us'; I have recommended it to so many friends and NOW they all swear by it. Thank you COMODO

cbn pbn20081[at]gmail.com

Offline Melih

Re: Inability to authenticate hits us right where it hurts - security!
« Reply #12 on: January 04, 2009, 09:13:11 AM »
Thank you cbncom!

Fake AVs are one of the biggest problems of the inability to authenticate legitimate AV providers.

We are building even better security and usability with the next version of our products!

Thank you

Melih
